Comments (8)
dbhoot
commented on June 1, 2024
1
Does your request contain an origin header? The cors middleware exits early when there is no origin on the request.
from cors.
jub0bs
commented on June 1, 2024
1
@jjhuff You cannot guarantee that only requests participating in the CORS protocol will hit the resource of interest. Therefore, the CORS middleware must cater for non-CORS requests also, by letting them pass through (hence the "early bailout").
As for cache effectiveness, if at least two discrete origins are allowed in your CORS configuration, the cache middleware needs to specify Vary: Origin; otherwise, cache poisoning becomes a possibility. However, if a single origin or all origins (via the wildcard) are allowed, the CORS middleware can implement this special case without the need to include a Vary: Origin header in responses:
if
Access-Control-Allow-Originis set to * or a static origin for a particular resource, then configure the server to always sendAccess-Control-Allow-Originin responses for the resource — for non-CORS requests as well as CORS requests — and do not useVary.
Neither rs/cors (as you pointed out) nor gin-contrib/cors implement the special case as described by the quote above, but other CORS-middleware libraries do, specifically for better cache effectiveness.
from cors.
jjhuff
commented on June 1, 2024
1
@jub0bs I ended switching to fcors for that reason :) Working great!
from cors.
jub0bs
commented on June 1, 2024
Please post a minimal reproducible example.
from cors.
idc77
commented on June 1, 2024
Almost same here
r := gin.Default()
cfig := cors.DefaultConfig()
cfig.AllowAllOrigins = true
cfig.AddAllowHeaders("authorization")
r.Use(cors.New(cfig))In my case,
the route was defined as
/api/v1/recipe/
but I POSTed to
/api/v1/recipe
which lead to a 307 redirect and no CORS being sent.
from cors.
jub0bs
commented on June 1, 2024
@idc77 Please post a minimal reproducible example, including server and client code. Otherwise, it's all speculations.
from cors.
jjhuff
commented on June 1, 2024
Does your request contain an origin header? The cors middleware exits early when there is no origin on the request.
I'm curious about that early bailout. When you have a mix of CORS (Origin header) and non-CORS requests and a CDN, I think you can run into trouble. See here: https://fetch.spec.whatwg.org/#cors-protocol-and-http-caches
https://github.com/rs/cors seems to take the path of always setting Vary: Origin, which I'm not a fan of since it reduces the effectiveness of the CDN when you have lots of different origins.
from cors.
jub0bs
commented on June 1, 2024
@jjhuff But you're right that systematically including Vary: Origin in responses that contain Access-Control-Allow-Origin: * is not ideal for cache effectiveness.
from cors.
Related Issues (20)
- Snyk vulnerability HTTP Response Splitting on older version of github.com/gin-gonic/gin HOT 3
- Shouldn't Be Returning * When Allow-Credentials and Allow-All-Origins are Set to True
- React & React Native Issue
- update README file
- Allow All Headers
- No way to disable caching of CORS-preflight responses
- Users currently cannot allow methods that are not uppercase HOT 1
- Repo documentatoin website (github pages URL) is broken - 404 error HOT 1
- Weird Access-Control-Allow-Headers CORS Bug HOT 1
- Register tauri:// scheme (or allow custom schemes upstream?)
- Cors error HOT 2
- error in parseWildcardRules when asterisk at the end HOT 2
- Timing-Allow-Origin support
- CORS not working, even with `cors.Default()` HOT 1
- Feature Proposal: Config.MatchPaths HOT 1
- it doesn't work HOT 11
- I can't use cors.default() to allow all origin haeder. HOT 5
- [Notice] Preflight with no origin will return OPTIONS 404 HOT 1
- CORS error with added header HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cors.